Hi folks, I am just getting into rails again after a multi-year stint of mod_perl jobs, which might grant me some newbie-indemnity for the time being - but I've found an issue I think warrants discussion.
As discussed here - http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html - the CSRF protection feature does not kick in for GET requests. This is under the assumption that GET requests are idempotent. There is a (big, IMO) problem with this: unless the controller action which receives the POST request manually validates that the request is a POST as expected, it is wide open to CSRF. All the attacker has to do is construct the same form submission that would be a POST as an unexpected GET request instead, which is actually easier to do from a remote CSRF attackers point of view. The controller will then happily do all the work requested of it without the token being present at all. How many rails developers do we think put a POST-method validation filter around all their form processing code, and yet expect protect_from_forgery stills somehow protects the actions? Also, it appears that the authenticity token is not inserted into forms automatically when the form is specified as a GET. While GET requests *should* be idempotent, it is quite common for them not to be. Consider for instance on Yahoo! search which remembers (server- side) your most recent searches. Searches then are effectively non- idempotent GET requests and should include a CSRF protection as a result. So in reality, GET vs POST is much more of an HTTP distinction than an application distinction, and framework-level "blessed" security measures should not hinge on adherence to protocol practices that are easily and often pragmatically bent or broken, especially when it's up to the attacker which method to invoke. IMO this feature is providing a rather false sense of security to the community without documenting the clear steps needed to take in order to actually obtain CSRF protection for a particular action. JSW -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-t...@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
